Category Archives: Authenticate

Working on Many Chains? Multiple Panes Will Ease the Pain! Learn How to Split Amped FIVE’s Viewer and Boost Your Work

Hello, Tip Tuesday’s loyal friends! With all the enhancement and restoration tools featured in Amped FIVE, it can easily happen that you are undecided about which filter is better to use in a specific case, or which filter configuration is the best. This week’s Tip will show you how to visually compare the output of different chains and hopefully settle the question quickly.

Better to Take a Look Than to Overlook: Image Thumbnails May Contain Hidden Information, Authenticate Helps You Find Out!

Hello Amped blog readers! Following last week’s Tip Tuesday idea that “simple things matter”, today we’ll show you how one of the most straightforward filters in Amped Authenticate, that is, the Thumbnail filter, can sometimes reveal interesting information.

First of all, what is the image thumbnail? It is (well… it should be) a much lower resolution version of the image, commonly on the order of 160 x 120 pixels. It is mostly used by file/image manager applications for efficiently creating image galleries: they just need to decode a few thousand instead of millions of pixels during gallery creation and browsing, while the full-size picture will be decoded when the user “opens” it. The Exif standard provides rules for embedding the thumbnail into the image file as a stand-alone JPEG object, so that it can be decoded without having to process the full-sized image.

Even the (Byte)Streams Can Tell More Than It Seems: Learn How to Spot Hidden Data in Images Using Amped Authenticate!

This week is Amped Authenticate’s turn, and we are going to look at our images from a different perspective than usual, that is… their bytestream! We’ll see how Amped Authenticate’s Hex Viewer and Hex Strings filters can help you spot hidden information in your evidence images.

Recaptured Images Are a Good Way to Fool Forensic Analysts… but Not those Equipped with Amped Authenticate!

Hello dear Amped Blog readers, welcome to this week’s Tip Tuesday. Today we’ll be dealing with one of the sneakiest kinds of fakes: recaptured images. A recaptured image is a “picture of a picture”: you display your (possibly forged) image on a screen, or you print it on paper, and then you take a picture of it. This apparently naive approach is much more clever than it seems: the obtained image will be a “camera original” image to all intents and purposes, so it will likely pass every test based on metadata/format analysis. Are we left alone against this subtle threat? Of course not, Amped Authenticate is here to help. Let’s find out how.

Amped Authenticate’s “Show Saturation” Feature Saves You from April Fools!

April Fools’ Day has just passed and we hope you didn’t go through any nasty trick! Alas, for people working with digital evidence, the risk of getting fooled by some ambiguous finding is always around the corner. In the case of digital image forensics, among the most frequent pitfalls, we find false positives produced by forgery localization algorithms (that is, when an algorithm marks as manipulated a region that was not so). Today’s Tuesday Tip deals with them and shows how Amped Authenticate helps you rule out some of them.

Is your image embedded in a PDF file? No worries, Amped Authenticate can handle that!

Welcome to this week’s Tip Tuesday! Today we are showing you an interesting, perhaps a bit hidden, functionality of Amped Authenticate. There is no need to introduce the PDF file format: it is surely the most widespread format for sharing digital documents. Therefore, it may easily happen that you have to deal with a PDF containing images and that some of them get questioned.

What would you do in such a case (after realizing that if you drag-and-drop the PDF into Amped Authenticate, nothing happens, because it’s not an image file)? Would you take a screen capture of the picture and work with that? “Nooo!” – I hope you said! Screenshots are evil for image forensics! Ok, you would get some pixels to work with, but you would lose all metadata, you would lose encoding properties, you could be recompressing data… That means you cannot check image integrity, and finding manipulations becomes much harder. No, there’s a better way of dealing with images embedded in PDFs, and we’ll show you how!

Quick Triage with Amped Authenticate’s Batch File Format Analysis Can Save You Lots of Time

Dear Amped friends, welcome to this week’s Tip Tuesday!

In our last Tip we talked about how Amped FIVE users can save time by trimming and cropping the video they’re working on, so as to focus the analysis only on the interesting parts. Probably, we opted for that topic because February is the shortest month, and it may give you the feeling that time flows away too quickly. Since we can’t stop time, let’s at least save it when possible!

This week is Amped Authenticate’s turn, so let’s see how we can save time when investigating our digital images. Once more, it’s a matter of focus: to save time, we have to focus the analysis on the right images (i.e., properly select them) and run only the analysis filters that we need on them. We will focus on the first aspect today, and leave the second for a coming-soon Tip.

Log-Scale: A Great Ally for Plot Interpretation!

Amped Authenticate users know how important it is to understand the processing history of an image, and they (hopefully!) know that “processing history” does not mean just splicing. For example, there are cases where the image has been scaled or re-compressed, and when one of these happens you should be aware of it, as they have important consequences for the rest of your investigation.

Amped Authenticate offers many tools for processing history analysis under the Global Analysis filter category. Some of these, for example the DCT Plot, the Correlation Plot, and the JPEG Ghost Plot are… plots! They should be examined carefully, because we know that an artifact like a “comb-shaped” DCT histogram strongly suggests double JPEG compression, and so does a JPEG Ghost Plot with multiple local minima. The problem is… sometimes it’s just hard to see these artifacts, because they are “hidden” in the plot!

Consider the image below: at first glance, its DCT Plot for DCT Frequency 4 seems rather “smooth”, and you could easily overlook it.

Exif Metadata Sometimes Tells More Than it Seems

As Amped Authenticate users hopefully learned during our training courses, authenticating a digital image means much more than attaching a fake/real label to it. In some cases, you may be asked whether the integrity of a questioned digital image is preserved (or broken). In such a case, forgery localization tools should not be your first choice from Authenticate’s powerful arsenal.

Indeed, proving that the integrity of an image is “broken” means demonstrating that the image file is not the original file produced by the acquisition device; instead, it has been processed after acquisition. “What” happened during the processing may not even be of interest, because in some cases broken integrity alone is enough to discard a potential piece of evidence.

That’s why we always stress the importance of tools under Amped Authenticate’s File Analysis category: they are the best way to screen image properties, metadata and coding details looking for unexpected or suspicious elements.

In this post, I’ll share with you a tip that could prove important in your cases: check for un-updated Exif image resolution tags! Let’s take this nice picture from a Sony Xperia XA1 smartphone (formally called G3112), and let’s imagine we are asked to validate its integrity: is this an original file, untouched since acquisition?

Clones Blocks and Clones Keypoints: which one is better?

Clone detection (aka “copy-move detection”) is a very important image authentication task. Clones are a special case of image manipulation where part of an image is copied, possibly resized, rotated, sheared, etc., and then pasted to another region of the same image. The two main applications of cloning are:

  • creating multiple (fake) copies of an object through copy-paste;
  • removing an object from the scene by covering it with a cloned portion of the background.

This is explained with a very simple example in the image below.

Two possible ways of using copy-move to create a fake image.

The image forensics research community worked hard to develop techniques for clone detection, and two main approaches have been invented: block-matching and keypoint-matching. As suggested by their names, they are based on two different strategies, briefly explained below.

Block-matching approach

  1. Split the image into overlapping blocks;
  2. Compute a digest (“descriptor”) for each block, possibly robust to rotation, scaling, compression, etc.;
  3. Search for clusters of matching descriptors.
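
The three steps above, as a minimal added example (this is not Amped Authenticate's implementation, which this page does not show). The block size, thresholds, quantised-pixel descriptor and the constructed test image are all assumptions chosen for illustration, and the sketch assumes textured content, since uniform areas match everywhere and need separate handling.

```python
import random
from collections import Counter, defaultdict

BLOCK = 8        # block side in pixels (assumed value)
MIN_SHIFT = 8    # ignore matches between near-overlapping neighbours
MIN_VOTES = 50   # blocks that must agree on one shift vector


def make_test_image(w=64, h=64, seed=1, clone=True):
    """Constructed sample: random texture, optionally with a 16x16 clone."""
    rng = random.Random(seed)
    img = [[rng.randrange(256) for _ in range(w)] for _ in range(h)]
    if clone:
        for y in range(16):          # copy patch at (x=4, y=6)
            for x in range(16):      # to           (x=40, y=30)
                img[30 + y][40 + x] = img[6 + y][4 + x]
    return img


def descriptor(img, x, y):
    """Step 2: digest of one block. Coarse quantisation tolerates small
    noise; it is NOT robust to rotation or scaling."""
    return tuple(img[y + j][x + i] // 8
                 for j in range(BLOCK) for i in range(BLOCK))


def find_clones(img):
    h, w = len(img), len(img[0])
    buckets = defaultdict(list)
    # Step 1: overlapping blocks, one per pixel position.
    for y in range(h - BLOCK + 1):
        for x in range(w - BLOCK + 1):
            buckets[descriptor(img, x, y)].append((x, y))
    # Step 3: blocks with equal descriptors vote for the shift between them.
    votes = Counter()
    for positions in buckets.values():
        for (x1, y1), (x2, y2) in zip(positions, positions[1:]):
            dx, dy = x2 - x1, y2 - y1
            if abs(dx) + abs(dy) >= MIN_SHIFT:
                votes[(dx, dy)] += 1
    # A clone appears as a cluster: many blocks sharing one shift vector.
    return [(s, n) for s, n in votes.most_common() if n >= MIN_VOTES]


if __name__ == "__main__":
    for shift, n in find_clones(make_test_image()):
        print(f"shift {shift}: {n} matching blocks")
```

Requiring many blocks to agree on a single shift vector is what separates a copied region from isolated chance matches between unrelated blocks.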

Keypoint-matching approach

  1. Detect keypoints (SIFT, SURF, BRISK, etc.) from the image;
  2. Compute keypoint local descriptors;
  3. Search for (clusters of) matching keypoints.

Which one is better? It depends, and we try to explain why with the table below:

So, if your question was: “Do I need a block- or a keypoint-based algorithm for my analysis?”, the answer is: you need both!

That’s why Amped Authenticate features both algorithms under the Local Analysis category: Clones Keypoints and Clones Blocks. Let’s compare their output on the sample image we used in this article:

We see that the cloned seagull (top row) is detected by Clones Keypoints despite the strong down-scaling applied to the cloned object; such a geometrical transformation is too strong to be detected by Clones Blocks. On the other hand, Clones Blocks successfully detects the cloned background (bottom row), which is not detected by Clones Keypoints because the cloned area is just too flat and does not contain enough keypoints.

We hope you enjoyed this quick tip! Stay tuned and don’t miss our next #ampedtiptuesday post!